U.S. Regulators Move to Classify Stablecoin Issuers as Financial Institutions and Expand KYC Rules
U.S. financial regulators have proposed bringing permitted payment stablecoin issuers (PPSIs) under the Bank Secrecy Act and requiring customer identity verification across the sector. For PSPs, banks, and stablecoin issuers, the practical message is simple: if you touch issuance, the compliance stack is getting heavier, and the rules are being written with banking-style controls in mind.
- The Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the National Credit Union Administration (NCUA), and the Financial Crimes Enforcement Network (FinCEN) introduced a proposed rule that would treat licensed payment stablecoin issuers as financial institutions under the Bank Secrecy Act. The proposal would require each issuer to build a comprehensive customer identification program (CIP) tailored to the size of the business and its risk profile.
- That CIP would need to cover verification procedures, collection and storage of identification data, and procedures for cases where a customer’s identity cannot be verified. Before opening an account, issuers would have to collect name, date of birth, address, and identification number. For individuals, acceptable documents could include passports and driver’s licenses; for companies, incorporation documents, licenses, and other official records confirming the legal entity’s existence.
- The retained data would have to be kept for at least 5 years after an account is closed. The proposal also requires issuers to screen customers against government lists of individuals and organizations linked to terrorism, maintain suspicious activity report procedures, and notify customers that their information is being collected for identification purposes. In other words, the proposal pushes stablecoin issuance closer to the standard bank onboarding playbook, with the usual AML/CFT (anti-money laundering/countering the financing of terrorism) machinery attached.
- Regulators estimate the rule could apply to approximately 50 PPSIs in each of the first three years of the GENIUS Act being effective. The Act took effect in July 2025, so this is not a theoretical compliance memo; it is the early framing for a live market that will have to operationalize the rules.
- The proposal also draws a line between direct issuer relationships and everything happening downstream in the secondary market. CIP requirements would apply only when the issuer deals directly with the customer. Transactions through exchanges, wallets, or smart contracts without direct contact with the issuer would not be covered by these rules. Issuers that are subsidiaries of insured depository institutions would be allowed to use their parent banks’ identification infrastructure, and they could also rely on identification procedures performed by other federally regulated financial institutions if there is a relevant agreement in place and AML/CFT requirements are met.
For high-risk operators and their payment partners, the useful detail is that U.S. regulators are not just asking for KYC in the abstract. They are mapping stablecoin issuance onto existing banking controls, then carving out where the obligation stops: at the direct customer relationship, not in the downstream circulation of the token.
Weekly high-risk digest
Regulation, sanctions and payment news across your verticals — once a week, free.
Please check your inbox and click the link to confirm your subscription.
Please enter a valid email address!